Skip to content

Security: many-things/ion-dao-contracts

Security

SECURITY.md

DAO DAO bug reporting and feature requests

The DAO DAO core development team uses GitHub to manage feature requests and bugs. This is done via GitHub Issues.

Triage and progress πŸ”œ

Issues added to GitHub will be triaged as they come in.

Tracking of in-flight issues will be done through the DAO DAO project board, but of course we reserve the right to not make a public issue if there is a security implication in doing so.

Feature request πŸš€

For a feature request, e.g. module inclusion, please make a GitHub issue. Clearly state your use case and what value it will bring to other users of DAO DAO.

Standard priority bug πŸ›

For a bug that is non-sensitive and/or operational in nature rather than a critical vulnerability, please add it as a GitHub issue.

If it is not triaged in a couple of days, feel free to tag @Ben2x4, @ekez, or @jakehartnell.

Critical bug or security issue πŸ’₯

If you're here because you're trying to figure out how to notify us of a security issue, go to Discord, and alert the core engineers:

  • Jake (Meow) Meow Stargaze βœ¨πŸ”­#1736
  • Alex (the-frey) the-frey#8626
  • ben2x4 Ben2x4#4071
  • ekez ekez#9732
  • elsehow elsehow#1825

Please avoid opening public issues on GitHub that contain information about a potential security vulnerability as this makes it difficult to reduce the impact and harm of valid security issues.

Coordinated Vulnerability Disclosure Policy

We ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed. In addition to this, we ask that you:

  • Allow us a reasonable amount of time to correct or address security vulnerabilities.
  • Avoid exploiting any vulnerabilities that you discover.
  • Demonstrate good faith by not disrupting or degrading Juno’s network, data, or services.

Vulnerability Disclosure Process

DAO DAO uses the following disclosure process:

  • Once a security report is received, the DAO DAO core development team works to verify the issue.
  • Patches are prepared for eligible releases in private repositories.
  • We notify the community that a security release is coming. Notifications can include Discord messages, tweets, and emails to partners.
  • 24 hours following this notification, the fixes are applied publicly and new releases are issued.
  • Once releases are available for DAO DAO, we notify the community, again, through the same channels as above. We also publish a Security Advisory on Github, as long as the Security Advisory does not include any information on how to exploit these vulnerabilities beyond what information is already available in the patch itself.
  • Once the community is notified, we will pay out any relevant bug bounties to submitters.
  • One week after the releases go out, we will publish a post with further details on the vulnerability as well as our response to it.

This process can take some time. Every effort will be made to handle the bug in as timely a manner as possible. However, it's important that we follow the process described above to ensure that disclosures are handled consistently and to keep DAO DAO and Juno secure.

There aren’t any published security advisories